Mozilla Foundation Security Advisory 2016-56

Use-after-free when textures are used in WebGL operations after recycle pool destruction

Announced: June 7, 2016

Reporter: jomo

Impact: High

Products: Firefox, Firefox ESR

Fixed in: Firefox 47, Firefox ESR 45.2

Description

Mozilla community member jomo reported a use-after-free crash when processing WebGL content. The issue was caused by a texture being used after its recycle pool had been destroyed during WebGL operations; destroying the pool frees the memory associated with the texture. This results in a potentially exploitable crash when the texture is later used.
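The lifetime problem described above, as an added C++ illustration that is not Mozilla's code or the fix shipped in Firefox 47: a texture whose storage is owned by a pool must be able to detect that the pool is gone before it touches that storage. All names (`RecyclePool`, `Texture`, `RawTexture`) are hypothetical, and the weak-reference pattern is one assumed mitigation for this bug class.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical names; an illustration of the bug class, not Firefox code.
using Buffer = std::vector<std::uint8_t>;

// Owns every buffer it hands out. Destroying the pool frees them all.
class RecyclePool {
public:
    std::shared_ptr<Buffer> Allocate(std::size_t bytes, std::uint8_t fill) {
        buffers_.push_back(std::make_shared<Buffer>(bytes, fill));
        return buffers_.back();
    }
private:
    std::vector<std::shared_ptr<Buffer>> buffers_;
};

// Vulnerable shape: a raw pointer into pool-owned memory. Nothing tells the
// texture that the pool is gone, so a later access would touch freed memory.
struct RawTexture { Buffer* storage; };

// Hardened shape: a weak reference that must be locked before every access.
class Texture {
public:
    Texture(RecyclePool& pool, std::size_t n, std::uint8_t fill) : storage_(pool.Allocate(n, fill)) {}
    bool Alive() const { return !storage_.expired(); }
    bool Read(std::size_t i, std::uint8_t* out) const {
        auto buf = storage_.lock();              // null once the pool is destroyed
        if (!buf || i >= buf->size()) return false;
        *out = (*buf)[i];
        return true;
    }
private:
    std::weak_ptr<Buffer> storage_;
};

// Destroys the pool while a texture is still held, then tries to use the texture.
bool UseAfterPoolDestructionIsRejected() {
    auto pool = std::make_unique<RecyclePool>();
    Texture tex(*pool, 16, 0xAB);
    std::uint8_t b = 0;
    bool before = tex.Read(3, &b) && b == 0xAB;
    pool.reset();                                // buffers are freed here
    return before && !tex.Alive() && !tex.Read(3, &b);
}

int main() { return UseAfterPoolDestructionIsRejected() ? 0 : 1; }
```

Building test code of this shape with AddressSanitizer (`-fsanitize=address`) is a common way to surface the raw-pointer variant as a reported heap-use-after-free rather than a silent read.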